Methods and systems for ransomware detection, isolation and remediation
Abstract
Ransomware detection and/or isolation and/or remediation of a ransomware-encryption device is performed in a Remote Monitoring and Management (RMM) system environment. The RMM system is operatively associated with monitoring and managing a plurality of devices and, according to an exemplary embodiment, the RMM system includes a RMM agent module locally installed on each device, a cloud-based RMM platform operatively communicating with each device RMM agent module, and a Ransomware Detection (RD)/Isolation module locally installed on each device. The RD/Isolation module locally detects a potential ransomware-encryption in one or more files received by the device and the RMM system isolates a ransomware affected device using a locally executed script provided by the cloud-based RMM platform.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices, including ransomware detection, the RMM system comprising:
one or more processors and one or more memory components communicatively coupled with a data storage device on which is stored one or more sets of instructions wherein the one or more sets of instructions include instructions for:
a RMM agent module locally installed on each device and operatively communicating with an OS (operating system) installed on each device;
a cloud-based RMM platform operatively communicating with each device RMM agent module, the cloud-based RMM Platform configured to monitor and manage each of the plurality of devices; and
a RD (Ransomware Detection) module locally installed on each device and operatively communicating with each respective device RMM agent module,
the one or more sets of instructions, in response to being executed by the one or more processors, cause the system to perform operations, the operations comprising:
a) receiving from the RMM platform ransomware monitor configuration data, the ransomware monitor configuration data including one or more watch-items including a list of one or more files, drives, and volumes to monitor for ransomware detection;
b) initiating a filewatcher and filewatcher handler to monitor and receive callbacks for create, delete, update, and rename file-events associated with the watch-items, the filewatcher adding each create, delete, update and rename file-event to a metadata watch-item file-event queue, the metadata watch-item file-event queue including raw watch-item file-event data associated with each create, delete, update, and rename file-event associated with the watch-items, the raw-data including one or more of fileobjects and parent folders identified in the watch-item file-event; and
c) a scheduler processing the metadata watch-item file-event queue according to a preset time-based schedule, the scheduler processing any watch-item file-event data included in the metadata watch-item file-event queue to determine a ransomware-alert state (RW-alert state) of the RD module, the scheduler operatively associated with an entropy-analysis-based ransomware detection process to detect potential ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue and generate the RW-alert state which is representative of a positive or negative detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue.
2. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , wherein the plurality of devices include one or more of a PC (Personal Computer), desktop computer, tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or a bridge.
3. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , wherein the preset time-based schedule includes the scheduler generating timer events at a time interval of t, and t equals 1-20 seconds.
4. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , wherein the OS is one of a MICROSOFT WINDOWS® operating system, a macOS® operating system, a UNIX® operating system, and a LINUX® operating system.
5. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , wherein the RD module is implemented as a dll (dynamic link library) call function.
6. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 ,
step a) further comprising receiving from the RMM platform ransomware monitor configuration data including an exclusion list of one or more files, drives, and volumes to exclude from monitoring for ransomware detection; and
step b) further comprising the filewatcher handler ignoring each create, delete, update and rename file-event included in the exclusion list.
7. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , step b) further comprising:
collapsing the raw watch-item file-event data.
8. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , step c) further comprising:
the scheduler generating timer events according to the preset time-based schedule; and
at each timer event, the scheduler determining if the metadata watch-item file-event queue includes any watch-item file-event data,
if the metadata watch-item file-event queue does not include any watch-item file-event data, the scheduler terminates until the next timer event is generated, and
if the metadata watch-item file-event queue includes any watch-item file-event data, the scheduler extracts the watch-item file-event data, clears the metadata watch-item file-event queue, and processes the extracted watch-item file-event data to determine a RD-module state, the RD-module state including one of abort, continue and RW-alert, the abort state indicating a negative detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue, the continue state indicating an inconclusive determination of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue, and the RW-alert state indicating a detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue.
9. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , wherein an abort state determination clears a RD-module state, a continue state carries over a previously determined RD-module state and the RW-alert state generates a notification to the RMM platform, the notification including information about one or more suspected ransomware-encryption files.
10. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 1 , step c) further comprising:
if the metadata watch-item file-event queue includes any watch-item file-event data, the scheduler extracts the watch-item file-event data and performs one or more of the following:
collapsing file-events associated with the watch-item file-event data into one or more other create, delete, update, and rename file file-events;
analyzing the watch-item file-event data to determine if the associated file events are consistent with one or more predetermined file update patterns representative of a potential ransomware-encryption; and
analyzing the watch-item file-event data to determine if the associated file events include one or more of an encryption of a minimum number of files, an encryption of a minimum percentage of files, a low frequency encryption of the files, and a high frequency encryption of the files.
11. A system, comprising:
one or more processors and one or more memory components communicatively coupled with a data storage device on which is stored one or more sets of instructions wherein the one or more sets of instructions include instructions for:
a Ransomware Detection (RD) and Isolation module operatively associated with a cloud-based RMM (Remote Monitoring and Management) platform for monitoring and managing a plurality of devices, the RD and Isolation module comprising:
a dynamic link library file and API (Application Programming Interface),
the one or more sets of instructions, in response to being executed by the one or more processors, cause the system to perform operations, the operations comprising:
a) a RD module receiving from a RMM platform ransomware monitor configuration data, the ransomware monitor configuration data including one or more watch-items including a list of one or more files, drives, and volumes to monitor for ransomware detection;
b) the RD module initiating a filewatcher and filewatcher handler to monitor and receive callbacks for create, delete, update, and rename file-events associated with the watch-items, the filewatcher adding each create, delete, update and rename file-event to a metadata watch-item file-event queue, the metadata watch-item file-event queue including raw watch-item file-event data associated with each create, delete, update, and rename file-event associated with the watch-items, the raw-data including one or more of fileobjects and parent folders identified in the watch-item file-event;
c) a RD module scheduler processing the metadata watch-item file-event queue according to a preset time-based schedule, the scheduler processing any watch-item file-event data included in the metadata watch-item file-event queue to determine a ransomware-alert state (RW-alert state) of the RD module, the scheduler operatively associated with an entropy-analysis-based ransomware detection process to detect potential ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue and generate the RW-alert state which is representative of a positive or negative detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue;
d) in response to a positive RSV-alert state detected on a ransomware affected device, the RMM platform transmitting isolation script to the ransomware affected device; and
e) the ransomware affected device running the isolation script, the isolation script maintaining the device communication with the RMM platform and disabling the ransomware affected device communication to all other internal and external network locations, the isolation script including:
e1) changing the ransomware affected device network information pertinent to the ransomware affected device network connection to the RMM platform from a temporary DHCP (Dynamic Host Configuration Protocol) IP address assignment to a static IP address assignment, the network information including one or more of an internal IP (Internet Protocol) address of one or more active network adapters, inactive network adapters, a subnet mask of the one or more network adapters, a default gateway assignment of the one or more network adapters;
e2) nullifying local network and external network information on the ransomware affected device rendering the ransomware affected device unable to access any internal and external network, the nullified local and external network information including one or more of DNS (Domain Name System) server assignments for associated network adapters, default gateways of the associated network adapters, routing table of the ransomware affected device, routing information base of the ransomware affected device, ARP (Address Resolution Protocol) cache and NetBIOS cache; and
e3) re-adding to the ransomware affected device routing table the pertinent network information changed to an unchanging DHCP configuration in step e1) directly linking the default gateway IP stored in step e1) to reestablish a network connection from the ransomware affected device to the RMM platform, the re-added network information including one or more of IP addresses for a partner RMM geographical platform, DNS servers, and the ransomware affected devices' HOSTS file; and
f) the ransomware affected device communicating to the RMM platform over the RMM platform network connection isolation status information of the ransomware affected device.
12. The system of claim 11 , the operations further comprising:
step e4) determining a geographical RMM platform being used, collecting relevant IP addresses of the determined geographical RMM platform and listing the relevant IP addresses in a routing list; and
step e5) adding each IP address from the routing list to a device local routing table with a link directly to an IP address of the device default gateway setting with a subnet mask of a fixed value, thereby ensuring a direct link between the RMM platform servers and the gateway while removing the default gateway assignment which nullifies all connectivity between the device and any other network internal and external services.
13. The system of claim 11 , wherein the device is running a MICROSOFT WINDOWS® OS (operating system) and the isolation script includes:
using an OS registry to disable APIPA (Automatic Private IP Addressing) service to force the device to use the script provided information;
disabling and stopping an OS LanManWorkstation service to disable the device from accessing mapped network drives;
using OS NetSH and NBTStat tools, clearing the ARP and NetBIOS caches from the device; and
using NSPBind tool to disable IPv6 connectivity.
14. The system of claim 11 , wherein the isolation script includes disabling IPv6 connectivity on the device and maintaining IPv4 connectivity.
15. The system of claim 11 , wherein the isolation script includes storing configuration associated with one or more of the device's active and inactive internet adapters in an OS registry to reestablish normal connectivity at a later time.
16. The system of claim 11 , wherein the plurality of devices include one or more of a PC (Personal Computer), desktop computer, tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or a bridge.
17. The system of claim 11 , wherein the preset time-based schedule includes the scheduler generating timer events at a time interval of t, and t equals 1-20 seconds.
18. The system of claim 11 , wherein the RD module is implemented as a dll (dynamic link library) call function.
19. The system of claim 11 , the operations further comprising:
step a) further comprising receiving from the RMM platform ransomware monitor configuration data including an exclusion list of one or more files, drives, and volumes to exclude from monitoring for ransomware detection; and
step b) further comprising the filewatcher handler ignoring each create, delete, update, and rename file-event included in the exclusion list.
20. The system of claim 11 , the operations further comprising:
the scheduler generating timer events according to the preset time-based schedule; and
at each timer event, the scheduler determining if the metadata watch-item file-event queue includes any watch-item file-event data,
if the metadata watch-item file-event queue does not include any watch-item file-event data, the scheduler terminates until the next timer event is generated, and
if the metadata watch-item file-event queue includes any watch-item file-event data, the scheduler extracts the watch-item file-event data, clears the metadata watch-item file-event queue, and processes the extracted watch-item file-event data to determine a RD-module state, the RD-module state including one of abort, continue and RW-alert, the abort state indicating a negative detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue, the continue state indicating an inconclusive determination of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue, and the RW-alert state indicating a detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue.
21. A RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices, including ransomware detection, the RMM system comprising:
one or more processors and one or more memory components communicatively coupled with a data storage device on which is stored one or more sets of instructions wherein the one or more sets of instructions include instructions for:
a RMM agent module locally installed on each device and operatively communicating with an OS (operating system) installed on each device;
a cloud-based RMM platform operatively communicating with each device RMM agent module, the cloud-based RMM Platform configured to monitor and manage each of the plurality of devices; and
a RD (Ransomware Detection) module locally installed on each device and operatively communicating with each respective device RMM agent module,
the one or more sets of instructions, in response to being executed by the one or more processors, cause the system to perform operations, the operations comprising:
a) receiving from the RMM platform ransomware monitor configuration data, the ransomware monitor configuration data including one or more watch-items including a list of one or more files, drives, and volumes to monitor for ransomware detection;
b) initiating a filewatcher and filewatcher handler to monitor and receive callbacks for create, delete, update, and rename file-events associated with the watch-items, the filewatcher adding each create, delete, update and rename file-event to a metadata watch-item file-event queue, the metadata watch-item file-event queue including raw watch-item file-event data associated with each create, delete, update, and rename file-event associated with the watch-items, the raw-data including one or more of fileobjects and parent folders identified in the watch-item file-event;
c) a scheduler processing the metadata watch-item file-event queue according to a preset time-based schedule, the scheduler processing any watch-item file-event data included in the metadata watch-item file-event queue to determine a ransomware-alert state (RW-alert state) of the RD module, the scheduler operatively associated with an entropy-analysis-based ransomware detection process to detect potential ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue and generate the RW-alert state which is representative of a positive or negative detection of ransomware-encryption of one or more of the watch-items listed in the watch-item file-event queue; and
d) if a RW-alert state is positive, the RD module performing a first remediation method to identify and kill a ransomware process associated with the RW-alert; The first remediation method including:
d1) determining all running processes that were started prior to the detection time of a first encrypted file, and started less than a predetermined time before the detection time;
d2) of the determined running processes in step d1), determine the currently running process, not included in an exclusion process list, with a highest average accumulated kernel-CPU time and associated with a number of OS handles above a predetermined threshold; and
d3) if step d2) and d3) result in an identification of a ransomware process, killing the ransomware process.
22. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 21 , wherein the plurality of devices include one or more of a PC (Personal Computer), desktop computer, tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch, or a bridge.
23. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 21 , wherein, if a RW-alert state is positive, the RMM agent module performs a second remediation method to identify and kill a ransomware process associated with the RW-alert, the second remediation method including:
e1) determining all running processes on the local device which are not included in an exclusion process list;
e2) of the determined running processes in step e1), create a process performance counter for each determined running process, the process performance counters tracking I/O (Input/Output) write bytes per second for each process;
e3) identifying one or more processes in step e2) with the highest relative counter values, indicating these processes include the most I/O intensive processes and are potential ransomware processes; and
e4) killing one or more of the processes identified in step e3).
24. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 23 , wherein step e3) comprises:
taking a plurality of snapshots of the process performance counters and sorting the associated running processes by I/O activity level.
25. The RMM (Remote Monitoring and Management) system operatively associated with monitoring and managing a plurality of devices according to claim 21 , wherein the RD module is implemented as a dll (dynamic link library) call function.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.